Millions of sensitive files on a storage server belonging to the Oklahoma Department of Securities were left exposed for a week – including credentials, internal docs and personal data stretching back decades.
Researchers at UpGuard who discovered the data leak said that the publicly accessible data totaled a whopping three terabytes. The more severe types of files exposed included documents detailing FBI investigations, Social Security numbers for ten thousand brokers, credentials for remote access to Oklahoma Department of Securities workstations – and even a list of data relating to AIDS patients, including patient names.
“The amount, and reach, of administrative and staff credentials represents a significant impact to the Oklahoma Department of Securities’ network integrity,” said UpGuard in a Wednesday post detailing the leak. “The contents of those files ran the gamut from personal information to system credentials to internal documentation and communications intended for the Oklahoma Securities Commission.”
The Oklahoma Securities Commission, part of the state’s Department of Securities, ensures that individuals and firms in the financial trade markets follow the regulations that prevent fraud.
The data was exposed through an unsecured rsync service. Rsync is a utility for synchronizing files across computer systems; it can run as a network daemon, and when that daemon is left without authentication or source-address restrictions, anyone who can reach its port can download everything it serves. The service resided at an IP address registered to the Oklahoma Office of Management and Enterprise Services, researchers said, and it allowed any user from any IP address to download all of the files stored on the server.
The server was first indexed by Shodan as publicly accessible on Nov. 30 and lay open for a week before UpGuard analysts discovered it on Dec. 7. The firm notified Oklahoma on Dec. 8, at which point public access was removed, researchers said.
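The exposure described above comes down to an rsync daemon configuration that grants anonymous, unrestricted access to a module. The following auditor is an added example written for this page; it is not code from the article, from UpGuard or from the state of Oklahoma, and the two rsyncd.conf samples (the weak one and its hardened counterpart) are constructed for illustration, with hypothetical module, path and user names. It flags the settings that turn a file-sync server into a public download site: no `auth users`, no `hosts allow`, writable modules, chroot disabled and a listable module name.

```python
"""Added example (not from the Threatpost article or UpGuard's report):
audit an rsyncd.conf for modules exposed the way the Oklahoma server was,
i.e. readable (or writable) by anyone, from any address.
The sample configs below are constructed; names and paths are hypothetical."""

from __future__ import annotations

import configparser

# rsync's boolean spellings; the daemon accepts yes/no, true/false and 1/0.
FALSE_VALUES = ("no", "false", "0")


def parse_rsyncd(text: str) -> tuple[dict[str, str], dict[str, dict[str, str]]]:
    """Return (global_options, {module_name: module_options}).

    rsyncd.conf has an unnamed global section before the first [module]
    header, which configparser rejects, so a synthetic [global] header is
    prepended.  configparser lowercases option names, which matches rsync's
    case-insensitive handling of them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[global]\n" + text)
    global_opts = dict(cp["global"])
    modules = {name: dict(cp[name]) for name in cp.sections() if name != "global"}
    return global_opts, modules


def is_false(value: str) -> bool:
    return value.strip().lower() in FALSE_VALUES


def audit_rsyncd(text: str) -> dict[str, list[str]]:
    """Return {module: [findings]} for every module that is reachable without
    credentials or from any source address, or that permits writes, escapes
    chroot, or advertises its name to 'rsync rsync://host/'."""
    global_opts, modules = parse_rsyncd(text)
    findings: dict[str, list[str]] = {}
    for name, opts in modules.items():
        # Module settings override global ones; unset options fall back to
        # rsync's defaults, which are filled in below where they matter.
        eff = {**global_opts, **opts}
        problems = []
        if not eff.get("auth users", "").strip():
            problems.append("no 'auth users': anonymous access")
        if not eff.get("hosts allow", "").strip():
            problems.append("no 'hosts allow': reachable from any address")
        if is_false(eff.get("read only", "yes")):
            problems.append("'read only = no': clients can modify files")
        if is_false(eff.get("use chroot", "yes")):
            problems.append("'use chroot = no': symlinks can escape the module path")
        if not is_false(eff.get("list", "yes")):
            problems.append("'list = yes': module name is enumerable without credentials")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample: a daemon config of the kind that exposes a backup copy
# to the whole internet.  Nothing restricts who may connect or what they may do.
WEAK_CONF = """
uid = nobody
gid = nogroup
use chroot = no
max connections = 10

[backups]
path = /srv/backups
comment = nightly copies of the file server (constructed example)
read only = no
"""

# Constructed sample: the same module with access limited to one account from
# one network, read-only, chrooted, and hidden from module listing.
HARDENED_CONF = """
uid = nobody
gid = nogroup
use chroot = yes
max connections = 4
log file = /var/log/rsyncd.log

[backups]
path = /srv/backups
comment = nightly copies of the file server (constructed example)
read only = yes
list = no
auth users = backup-puller
secrets file = /etc/rsyncd.secrets
hosts allow = 10.20.30.0/24
hosts deny = *
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_rsyncd(conf) or 'no findings'}")
```

The external check is the one a scanner or a researcher performs: `rsync rsync://HOST/` lists the modules a daemon advertises (unless `list = no`), and `rsync --list-only rsync://HOST/MODULE/` walks a module's files; if either succeeds without a password prompt from outside the networks that legitimately need the data, the daemon is in the same state the weak config above describes. Note that `auth users` alone only protects against anonymous pulls; `hosts allow` plus a firewall rule keep the port off the public internet entirely, which is the control that would have stopped this exposure regardless of credentials.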
The data exposed was generated over decades, with the oldest information coming from 1986 and the most recent last modified in 2016.
Much of the exposed information was about individuals who were involved in the exchange of financial securities, whether operating under a larger organization or acting on their own.
For instance, one CSV file, labeled “IdentifyingInformation.csv,” contained date, country and state of birth, gender, height, weight, hair color and eye color for over a hundred thousand financial brokers.
And one database of viators (terminally ill patients who sell their life insurance benefits through viatical settlements) contained data on people with AIDS – including patient names and T-cell counts.
Also exposed were an array of databases and spreadsheets that contained various kinds of credentials: including VNC credentials for remote access to Oklahoma Department of Securities workstations, credentials for third parties that submitted securities filings, and usernames/passwords for IT services accounts like Symantec Protection Suite, Tivoli and others.
“Exposed system credentials can carry the highest risk for large-scale abuse,” UpGuard researchers said. “Not only can credentials be used to gather PII, but in offering access to systems themselves they may be used to modify files – for example, for the purpose of further distributing malware – or to gather information that is intentionally obscured in its storage format.”
Finally, the Oklahoma rsync server exposed a swathe of business-related data, including commissioners’ email histories, supporting files for Department of Securities investigations, and spreadsheets outlining the timelines of FBI investigations and the people interviewed in them.
“Sensitive data is often shared in vulnerable places, so Oklahoma’s potential breach of 3TB of FBI data isn’t especially shocking,” Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said in an email. “However, if we examine securities.ok.gov, it appears that the state is not using trusted machine identities, like TLS keys and certificates. Today, browsers are marking this site as ‘not secure,’ because it is not using HTTPS encryption. This means that browsers do not trust the machine identities used to identify Oklahoma’s servers.”
Researchers stressed the importance of maintaining control over data storage.
“Businesses and organizations naturally accumulate stores of data, both because of the value of that data and to comply with retention policies,” they said. “Creating backups is a good practice to increase resilience in the face of attacks like ransomware. Backups are also necessary for migrations to ensure data can be recovered as businesses adopt newer and more secure technologies. But as this case highlights, the final crucial step is to maintain control over every copy of those data stores.”
A spokesperson for the state of Oklahoma did not immediately respond to Threatpost’s request for comment.